3b305d3003
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
{
"channel_name": [
"winlog.channel"
],
"command_line": [
"process.command_line",
"process.args"
],
"destination_address": [
"destination.ip"
],
"destination_port": [
"destination.port",
"server.port"
],
"effective_gid": [
"user.group.id"
],
"effective_group_name": [
"user.group.name"
],
"effective_uid": [
"user.id"
],
"effective_user_name": [
"user.name"
],
"endpoint.core_os": [
"host.os.platform"
],
"endpoint.hostname": [
"host.hostname"
],
"endpoint.ip_address": [
"host.ip"
],
"endpoint.mac_address": [
"host.mac"
],
"endpoint.name": [
"host.name"
],
"endpoint.operating_system": [
"host.os.full"
],
"event_id": [
"winlog.event_id"
],
"event_message": [
"winlog.message",
"winlog.event_data.*"
],
"eventlog_user_sid": [
"winlog.user.sid"
],
"file_name": [
"file.name",
"file.extension"
],
"file_path": [
"file.path"
],
"fileid": [
"file.inode"
],
"http_request": [
"http.request.method",
"http.request.referrer",
"http.version",
"http.*"
],
"imphash": [
"file.hash.imphash"
],
"in_packet_count": [
"source.packets",
"destination.packets"
],
"ip_address": [
"source.ip"
],
"logon_type": [
"winlog.event_data.LogonType"
],
"machine_id": [
"host.id"
],
"md5": [
"process.hash.md5",
"file.hash.md5"
],
"opcode": [
"winlog.opcode"
],
"out_packet_count": [
"source.packets",
"destination.packets"
],
"parent_pid": [
"process.parent.id"
],
"parent_process_name": [
"process.parent.name"
],
"parent_process_path": [
"process.parent.executable"
],
"pid": [
"process.pid"
],
"ppid": [
"process.parent.pid"
],
"process_name": [
"process.name"
],
"process_path": [
"process.executable"
],
"protocol": [
"network.transport"
],
"provider_guid": [
"winlog.provider_guid"
],
"provider_name": [
"winlog.provider_name"
],
"query_name": [
"dns.question.name"
],
"query_options": [
"dns.flags"
],
"query_results": [
"dns.answers.data"
],
"query_status": [
"dns.response_code"
],
"query_type": [
"dns.type"
],
"severity": [
"event.severity"
],
"sha1": [
"process.hash.sha1",
"file.hash.sha1"
],
"sha256": [
"process.hash.sha256",
"file.hash.sha256"
],
"source_address": [
"source.address",
"source.ip",
"client.address"
],
"source_port": [
"source.port",
"client.port"
],
"source_process_name": [
"process.name"
],
"source_process_path": [
"process.executable"
],
"subject_domain_name": [
"winlog.event_data.SubjectDomainName"
],
"subject_logon_id": [
"winlog.event_data.SubjectLogonId"
],
"subject_user_name": [
"winlog.event_data.UserName"
],
"subject_user_sid": [
"winlog.event_data.UserSid"
],
"target_domain_name": [
"winlog.event_data.TargetDomainName",
"user.domain"
],
"target_logon_id": [
"winlog.event_data.TargetLogonId"
],
"target_user_name": [
"user.name"
],
"task": [
"winlog.task"
],
"tid": [
"process.thread.id"
],
"timestamp": [
"@timestamp"
],
"total_in_bytes": [
"destination.bytes"
],
"total_out_bytes": [
"source.bytes"
],
"user_domain": [
"user.domain"
],
"user_name": [
"user.name"
],
"user_sid": [
"user.identifer"
]
}